Which owner and permission settings for an Apache and FTP setup? (Linux)

I have set up a LAMP stack, and I am confused about which permissions to use. From what I've read it is often mentioned that files on the web server should be owned by www-data:www-data, as that is the account Apache runs on.

So now my current settings for all web server files are:
-rwxrwxr-x www-data:www-data

The account I log in to FTP with is called admin, and is a member of the www-data group. (I've read that, for security reasons, it is not possible to log in as www-data.)

The problem I have is that I often need to delete files, and copy old files (restoring a backup) to the web server through FTP. This means that the files I am uploading to the server will be owned by "admin", and get the default permissions "-rw-r--r--". It isn't very practical to need to run chown / chmod commands every time I upload something. And will it matter if the files are owned by admin instead of www-data? As long as www-data is the owning group, wouldn't that be sufficient for Apache?

What is best practice when it comes to this kind of scenario? Is it possible to automatically make the system apply the wanted ownership/permission to every file that is uploaded to the webserver? Or should I use some other permission settings?

andre_st Asked:
ghodder Commented:
It is fine if the files you are serving with Apache are owned by the 'admin' user. I would recommend they are owned by the 'admin' group as well if you created it, unless you require Apache to be able to modify the files it is serving.

The reason Apache runs as 'www-data' or sometimes 'apache' is so that it's running as an unprivileged user so that in the event that someone discovers a vulnerability, the damage they can cause to your server should be limited.

Having your web files owned by the same user Apache is running as means that an attacker could easily delete those files once they are able to exploit an Apache bug and execute some code.

If Apache runs as a different user to the owner of the files, you just need to chmod 0644 the files and chmod 0755 the directories so that Apache has read access while maintaining write access for your 'admin' user.
andre_st Author Commented:
Thanks for your reply!

Excuse my confusion, but I thought that the Apache server needs execute permission for the web content, as it is PHP code. Is it enough to just have 0644 on the files, if Apache is not the owner of the files?

Or does 0755 on the directories mean that Apache has permission to execute the files in the folder, even if the files are set to 0644...?
andre_st Author Commented:
Oh, and it's worth mentioning that I am running WordPress, which means that users can upload different media files to the web server. I assume that requires Apache (www-data) to have write access, and that all uploaded files will therefore be owned by www-data?
mreith80 Commented:
First of all I wanted to state one thing: having the files owned by admin is NOT a good idea under any circumstance. If an attacker is going to exploit your web server, better to have him exploit an unprivileged user/group than an 'admin' privileged group. Any sudo commands or permissions the admin group is allowed will then pass on to the attacker. That being said, I know it is annoying but I would not suggest using www-data/www-data.

Additionally, to clarify: PHP files do not need the executable bit set to run, but they do need the execute permission on the directory.

Unfortunately there is also no way to retain group ownership as www-data without setting up ACLs.

I hope this helps.

Regards,

Michael

E-Mail: mreith@gmail.com
Blogsite: http://technobloggings.blogspot.com
Twitter:  http://www.twitter.com/therealmreith
YouTube: http://www.youtube.com/technoblob (work in progress, visit back for updates and our premiere!)
mreith80 Commented:
Oops, I meant "That being said, I know it is annoying but I would not suggest using www-data/www-data" to read "I WOULD SUGGEST". Darn annoying small tiny minuscule laptop keyboard!

<facepalm>
Regards,

Michael

E-Mail: mreith@gmail.com
Blogsite: http://technobloggings.blogspot.com
Twitter:  http://www.twitter.com/therealmreith
YouTube: http://www.youtube.com/technoblob (work in progress, visit back for updates and our premiere!)
andre_st Author Commented:
Ok guys! Thanks for your help! I've applied the ownership as www-data:www-data, and directories to 0755 and files to 0644.
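Added example (not from any of the posts above): a small POSIX shell script that applies the scheme ghodder describes (directories 0755, files 0644, owner the FTP account, group www-data) and, for the WordPress upload directory andre_st asks about, makes one subtree group-writable with the setgid bit so files Apache creates there keep the www-data group. The setgid bit is not mentioned in the thread; the default ACL is the ACL approach mreith80 refers to and is applied only if setfacl is installed. GNU find/chmod are assumed, and the user, group and path names are placeholders.

```sh
#!/bin/sh
# Added example, not code from the thread. Assumes GNU find/chmod.
# Placeholder names (replace with your own): WEB_OWNER, WEB_GROUP, UPLOAD_SUBDIR.
WEB_OWNER="admin"
WEB_GROUP="www-data"
UPLOAD_SUBDIR="wp-content/uploads"

# set_ownership ROOT: owner = FTP account, group = Apache's group.
# Needs root; kept separate so the permission functions can run without it.
set_ownership() {
  chown -R "$WEB_OWNER:$WEB_GROUP" "$1"
}

# harden_webroot ROOT [UPLOAD_SUBDIR]
# Directories -> 0755, files -> 0644 (Apache reads, only the owner writes).
# If an upload subdirectory is given, its directories become 2775 (group
# writable, setgid so new files inherit the group) and its files 0664.
harden_webroot() {
  root="$1"
  uploads="${2:-}"
  [ -d "$root" ] || return 1
  find "$root" -type d -exec chmod 0755 {} +
  find "$root" -type f -exec chmod 0644 {} +
  if [ -n "$uploads" ] && [ -d "$root/$uploads" ]; then
    find "$root/$uploads" -type d -exec chmod 2775 {} +
    find "$root/$uploads" -type f -exec chmod 0664 {} +
    # Optional default ACL so files created by any group member are group rw.
    # Skipped silently where ACL tools are not installed.
    if command -v setfacl >/dev/null 2>&1; then
      find "$root/$uploads" -type d -exec setfacl -d -m g::rwx {} + 2>/dev/null || true
    fi
  fi
}

# count_loose ROOT [UPLOAD_SUBDIR]
# Number of entries outside the upload tree that are writable by group or
# other. 0 means the 0644/0755 scheme is intact; anything else is worth a look.
count_loose() {
  root="$1"
  uploads="${2:-}"
  if [ -n "$uploads" ]; then
    find "$root" -path "$root/$uploads" -prune -o \
      \( -type f -o -type d \) -perm /022 -print | wc -l | tr -d ' '
  else
    find "$root" \( -type f -o -type d \) -perm /022 -print | wc -l | tr -d ' '
  fi
}

# Usage (as root, on a real web root):
#   set_ownership /var/www/html
#   harden_webroot /var/www/html "$UPLOAD_SUBDIR"
#   count_loose /var/www/html "$UPLOAD_SUBDIR"
```

Run count_loose after each FTP restore; a non-zero result tells you which uploads came in with permissive modes before you re-run harden_webroot. Keeping the owner separate from the Apache user, as ghodder's answer explains, means an exploited Apache process can only write where group write was deliberately granted (the upload tree), not across the whole site.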